commit:     9996c079375c4db6aa9a5b35f3e947608c4b99c5
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sun Jun  5 06:41:40 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jun  5 06:44:57 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9996c079

net-firewall/nftables: backport crash fix; add test infrastructure

Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/nftables-1.0.3-optimize-segfault.patch   | 64 ++++++++++++++++++++++
 .../files/nftables-1.0.3-test-shell-sets.patch     | 21 +++++++
 ...tables-9999.ebuild => nftables-1.0.3-r1.ebuild} | 48 +++++++++++-----
 net-firewall/nftables/nftables-9999.ebuild         | 48 +++++++++++-----
 4 files changed, 153 insertions(+), 28 deletions(-)

diff --git a/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch 
b/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch
new file mode 100644
index 000000000000..95e53adc0b2f
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.3-optimize-segfault.patch
@@ -0,0 +1,64 @@
+https://git.netfilter.org/nftables/commit/?id=59bd944f6d75e99fe0c8d743e7fd482672640c2d
+
+From: Pablo Neira Ayuso <pa...@netfilter.org>
+Date: Wed, 1 Jun 2022 10:14:22 +0200
+Subject: optimize: segfault when releasing unsupported statement
+
+Call xfree() instead since stmt_alloc() does not initialize the
+statement type fields.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1609
+Fixes: ea1f1c9ff608 ("optimize: memleak in statement matrix")
+Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
+--- a/src/optimize.c
++++ b/src/optimize.c
+@@ -304,7 +304,7 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, 
struct rule *rule)
+                       clone->nat.type_flags = stmt->nat.type_flags;
+                       break;
+               default:
+-                      stmt_free(clone);
++                      xfree(clone);
+                       continue;
+               }
+ 
+--- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
++++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
+@@ -1,4 +1,10 @@
+ table ip x {
++      set s {
++              type ipv4_addr
++              size 65535
++              flags dynamic
++      }
++
+       chain filter_in_tcp {
+       }
+ 
+@@ -6,6 +12,7 @@ table ip x {
+       }
+ 
+       chain y {
++              update @s { ip saddr limit rate 12/minute burst 30 packets } 
accept
+               tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 
8000-8100 : accept, 24000-25000 : accept }
+               meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto 
filter_in_udp }
+               log
+--- a/tests/shell/testcases/optimizations/merge_vmaps
++++ b/tests/shell/testcases/optimizations/merge_vmaps
+@@ -3,11 +3,16 @@
+ set -e
+ 
+ RULESET="table ip x {
++      set s {
++              type ipv4_addr
++              flags dynamic
++      }
+       chain filter_in_tcp {
+       }
+       chain filter_in_udp {
+       }
+       chain y {
++              update @s { ip saddr limit rate 12/minute burst 30 packets } 
accept
+               tcp dport vmap {
+                       80 : accept,
+                       81 : accept,
+cgit v1.2.3

diff --git a/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch 
b/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch
new file mode 100644
index 000000000000..c5f93e20eea6
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.3-test-shell-sets.patch
@@ -0,0 +1,21 @@
+https://git.netfilter.org/nftables/commit/?id=3835de19fe5773baac5b79f35484d0f0e99bcfe1
+
+From: Pablo Neira Ayuso <pa...@netfilter.org>
+Date: Wed, 1 Jun 2022 18:17:02 +0200
+Subject: tests: shell: sets_with_ifnames release netns on exit
+
+Missing ip netns del call from cleanup()
+
+Fixes: d6fdb0d8d482 ("sets_with_ifnames: add test case for concatenated range")
+Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
+--- a/tests/shell/testcases/sets/sets_with_ifnames
++++ b/tests/shell/testcases/sets/sets_with_ifnames
+@@ -13,6 +13,7 @@ ns2="nft2ifname-$rnd"
+ cleanup()
+ {
+       ip netns del "$ns1"
++      ip netns del "$ns2"
+ }
+ 
+ trap cleanup EXIT
+cgit v1.2.3

diff --git a/net-firewall/nftables/nftables-9999.ebuild 
b/net-firewall/nftables/nftables-1.0.3-r1.ebuild
similarity index 82%
copy from net-firewall/nftables/nftables-9999.ebuild
copy to net-firewall/nftables/nftables-1.0.3-r1.ebuild
index fa427dadfaab..d4ace7fe057b 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-1.0.3-r1.ebuild
@@ -3,15 +3,16 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{8..10} )
 DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/";
 
 if [[ ${PV} =~ ^[9]{4,}$ ]]; then
-       inherit git-r3
+       inherit autotools git-r3
        EGIT_REPO_URI="https://git.netfilter.org/${PN}";
 
        BDEPEND="
@@ -22,13 +23,13 @@ else
        SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
                verify-sig? ( 
https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
        KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv 
~sparc ~x86"
-       
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
        BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
 
 LICENSE="GPL-2"
 SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs 
xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs 
test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
 
 RDEPEND="
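Review bot: `RESTRICT="test? ( userpriv ) !test? ( test )"` drops userpriv so that the `edo tests/shell/run-tests.sh -v` call in the src_test hunk (@@ -119,6 +122,17 @@) runs as root, and that suite loads rulesets into the kernel of the build host; unless run-tests.sh re-executes itself inside its own network namespace (not verifiable from this diff), a FEATURES=test build can flush or replace the host's live firewall, which the build sandbox cannot confine. The reason for the restriction deserves a comment next to it, e.g. `# Shell tests need CAP_NET_ADMIN: they create netns and load rulesets into the running kernel`. The commented-out nft-test.py lines in src_test are better reduced to a one-line TODO than kept as dead code. The nftables-9999.ebuild hunks carry the same lines and this note applies there too.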
        >=net-libs/libmnl-1.0.4:0=
@@ -43,11 +44,12 @@ RDEPEND="
 DEPEND="${RDEPEND}"
 
 BDEPEND+="
+       virtual/pkgconfig
        doc? (
                app-text/asciidoc
                >=app-text/docbook2X-0.8.8-r4
        )
-       virtual/pkgconfig
+       python? ( ${PYTHON_DEPS} )
 "
 
 REQUIRED_USE="
@@ -55,6 +57,11 @@ REQUIRED_USE="
        libedit? ( !readline )
 "
 
+PATCHES=(
+       "${FILESDIR}"/${P}-optimize-segfault.patch
+       "${FILESDIR}"/${P}-test-shell-sets.patch
+)
+
 pkg_setup() {
        if kernel_is ge 3 13; then
                if use modern-kernel && kernel_is lt 3 18; then
@@ -70,13 +77,9 @@ pkg_setup() {
 src_prepare() {
        default
 
-       # fix installation path for doc stuff
-       sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
-               -i files/nftables/Makefile.am || die
-       sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
-               -i files/osf/Makefile.am || die
-
-       eautoreconf
+       if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+               eautoreconf
+       fi
 
        if use python; then
                pushd py >/dev/null || die
@@ -119,6 +122,17 @@ src_compile() {
        fi
 }
 
+src_test() {
+       emake check
+
+       edo tests/shell/run-tests.sh -v
+
+       # Need to rig up Python eclass if using this, but it doesn't seem to 
work
+       # for me anyway.
+       #cd tests/py || die
+       #"${EPYTHON}" nft-test.py || die
+}
+
 src_install() {
        default
 
@@ -128,6 +142,11 @@ src_install() {
                popd >/dev/null || die
        fi
 
+       # Do it here instead of in src_prepare to avoid eautoreconf
+       # rmdir lets us catch if more files end up installed in /etc/nftables
+       mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+       rmdir "${ED}"/etc/nftables || die
+
        local mksuffix="$(usex modern-kernel '-mk' '')"
 
        exeinto /usr/libexec/${PN}
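Review bot: `mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die` assumes `${ED}/usr/share/doc/${PF}/skels` already exists, since mv does not create intermediate directories; the earlier lines of src_install are outside this hunk, so if nothing there creates that directory the build dies here. Preceding the mv with `dodir /usr/share/doc/${PF}/skels` makes the hunk self-sufficient either way. The `rmdir "${ED}"/etc/nftables || die` guard is a good choice, as it turns any new upstream file landing in /etc/nftables into a visible failure rather than a silently shipped configuration file. The same hunk appears in nftables-9999.ebuild.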
@@ -149,7 +168,7 @@ src_install() {
 
 pkg_postinst() {
        local save_file
-       save_file="${EROOT}/var/lib/nftables/rules-save"
+       save_file="${EROOT}"/var/lib/nftables/rules-save
 
        # In order for the nftables-restore systemd service to start
        # the save_file must exist.
@@ -172,6 +191,7 @@ pkg_postinst() {
                elog "the nftables-restore service must be manually started in 
order to"
                elog "save those rules on shutdown."
        fi
+
        if has_version 'sys-apps/openrc'; then
                elog "If you wish to enable the firewall rules on boot (on 
openrc) you"
                elog "will need to enable the nftables service."

diff --git a/net-firewall/nftables/nftables-9999.ebuild 
b/net-firewall/nftables/nftables-9999.ebuild
index fa427dadfaab..d4ace7fe057b 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -3,15 +3,16 @@
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{8..10} )
 DISTUTILS_OPTIONAL=1
-inherit autotools linux-info distutils-r1 systemd verify-sig
+PYTHON_COMPAT=( python3_{8..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel (3.13+) firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/";
 
 if [[ ${PV} =~ ^[9]{4,}$ ]]; then
-       inherit git-r3
+       inherit autotools git-r3
        EGIT_REPO_URI="https://git.netfilter.org/${PN}";
 
        BDEPEND="
@@ -22,13 +23,13 @@ else
        SRC_URI="https://netfilter.org/projects/nftables/files/${P}.tar.bz2
                verify-sig? ( 
https://netfilter.org/projects/nftables/files/${P}.tar.bz2.sig )"
        KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv 
~sparc ~x86"
-       
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
        BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
 fi
 
 LICENSE="GPL-2"
 SLOT="0/1"
-IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs 
xtables"
+IUSE="debug doc +gmp json libedit +modern-kernel python +readline static-libs 
test xtables"
+RESTRICT="test? ( userpriv ) !test? ( test )"
 
 RDEPEND="
        >=net-libs/libmnl-1.0.4:0=
@@ -43,11 +44,12 @@ RDEPEND="
 DEPEND="${RDEPEND}"
 
 BDEPEND+="
+       virtual/pkgconfig
        doc? (
                app-text/asciidoc
                >=app-text/docbook2X-0.8.8-r4
        )
-       virtual/pkgconfig
+       python? ( ${PYTHON_DEPS} )
 "
 
 REQUIRED_USE="
@@ -55,6 +57,11 @@ REQUIRED_USE="
        libedit? ( !readline )
 "
 
+PATCHES=(
+       "${FILESDIR}"/${P}-optimize-segfault.patch
+       "${FILESDIR}"/${P}-test-shell-sets.patch
+)
+
 pkg_setup() {
        if kernel_is ge 3 13; then
                if use modern-kernel && kernel_is lt 3 18; then
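Review bot: In nftables-9999.ebuild `"${FILESDIR}"/${P}-optimize-segfault.patch` expands to files/nftables-9999-optimize-segfault.patch, a file this commit does not add (only the nftables-1.0.3-* variants are), so eapply will die in src_prepare for the live ebuild; the same goes for `"${FILESDIR}"/${P}-test-shell-sets.patch`. Both patch files point at upstream netfilter commits from 1 Jun 2022, which a git checkout made after that date presumably already contains, so the PATCHES array should be dropped from 9999 rather than repointed. In nftables-1.0.3-r1.ebuild the `${P}` form happens to match the files, but spelling the version out (`"${FILESDIR}"/nftables-1.0.3-optimize-segfault.patch`) avoids the same breakage on the next version bump.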
@@ -70,13 +77,9 @@ pkg_setup() {
 src_prepare() {
        default
 
-       # fix installation path for doc stuff
-       sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels@' \
-               -i files/nftables/Makefile.am || die
-       sed '/^pkgsysconfdir/s@${sysconfdir}.*$@${docdir}/skels/osf@' \
-               -i files/osf/Makefile.am || die
-
-       eautoreconf
+       if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+               eautoreconf
+       fi
 
        if use python; then
                pushd py >/dev/null || die
@@ -119,6 +122,17 @@ src_compile() {
        fi
 }
 
+src_test() {
+       emake check
+
+       edo tests/shell/run-tests.sh -v
+
+       # Need to rig up Python eclass if using this, but it doesn't seem to 
work
+       # for me anyway.
+       #cd tests/py || die
+       #"${EPYTHON}" nft-test.py || die
+}
+
 src_install() {
        default
 
@@ -128,6 +142,11 @@ src_install() {
                popd >/dev/null || die
        fi
 
+       # Do it here instead of in src_prepare to avoid eautoreconf
+       # rmdir lets us catch if more files end up installed in /etc/nftables
+       mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+       rmdir "${ED}"/etc/nftables || die
+
        local mksuffix="$(usex modern-kernel '-mk' '')"
 
        exeinto /usr/libexec/${PN}
@@ -149,7 +168,7 @@ src_install() {
 
 pkg_postinst() {
        local save_file
-       save_file="${EROOT}/var/lib/nftables/rules-save"
+       save_file="${EROOT}"/var/lib/nftables/rules-save
 
        # In order for the nftables-restore systemd service to start
        # the save_file must exist.
@@ -172,6 +191,7 @@ pkg_postinst() {
                elog "the nftables-restore service must be manually started in 
order to"
                elog "save those rules on shutdown."
        fi
+
        if has_version 'sys-apps/openrc'; then
                elog "If you wish to enable the firewall rules on boot (on 
openrc) you"
                elog "will need to enable the nftables service."
